Security Alerts: SAMBA, pine, ircd, and More

12/19/2000

Welcome to Security Alerts, an overview of new Unix and open source security-related advisories and news. Problems this week include symlink problems with joe, pico, and Samba, a buffer overflow in bftpd, and temporary file problems with pine.

SSLDUMP

SSLDUMP, an analyzer for SSL-encrypted network traffic in the style of tcpdump, can be made to segfault by malformed network traffic. This deserves some concern, because SSLDUMP has to run as root to capture packets, but no exploit has been published as of this writing. The author says he is working on a fix and reminds users that SSLDUMP is still beta software.

joe and pico

joe is a small text editor shipped with many Linux distributions. If joe is killed by a signal, it saves its buffers in a file named DEADJOE in the directory it was started from, without checking whether a file of that name already exists or whether it is a symbolic link. A local attacker who can write to that directory (a shared /tmp, for example) can plant a symlink named DEADJOE pointing at any file the joe user can write, and that file is overwritten with the editor's buffer when joe dies. Users of joe should upgrade to the latest release.

pico is another small text editor, distributed with the pine e-mail client by the University of Washington. On an abnormal exit, such as a signal, it saves its buffer in the current directory as filename.save (filename is the name of the buffer), again without checking whether that file already exists or is a symbolic link. As with joe, a malicious user can plant a symlink of that name and have the target overwritten with the contents of pico's buffer.

While my first reaction to these reports was to not be concerned by either of them, it is important to remember that in the area of security, the system administrator must win every time, and a cracker only has to win once. So while these vulnerabilities have low probability of compromising your system, there is still value in fixing them.
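The joe and pico problems are the same bug, and it is worth seeing it fail and then not fail. The program below is an added example, not joe's or pico's code: inside a scratch directory it creates a stand-in for one of the victim's files, plants a symlink named DEADJOE pointing at it the way an attacker would in a shared directory, then "crashes" twice, once writing the dump file the way the vulnerable editors do (create or truncate) and once with O_CREAT|O_EXCL|O_NOFOLLOW. All file names and contents are constructed for the example.

```c
/* Added example (not joe's or pico's code): a fixed-name crash file such as
 * DEADJOE is created in a directory the attacker may also write to, so the
 * attacker plants a symlink of that name pointing at one of the victim's
 * files. An open() that creates-or-truncates follows the link and clobbers
 * the target; O_CREAT|O_EXCL|O_NOFOLLOW refuses instead. Every path below
 * lives in a scratch directory from mkdtemp() and is a constructed example. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed stand-in for the victim's ~/.profile. */
static const char VICTIM_CONTENT[] = "export PATH=/usr/bin:/bin\n";

static int write_file(const char *path, const char *text, int flags)
{
    int fd = open(path, flags, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* What the vulnerable editors do on a fatal signal: create or truncate the
 * dump file without looking at what is already there. */
int dump_unsafe(const char *path, const char *text)
{
    return write_file(path, text, O_WRONLY | O_CREAT | O_TRUNC);
}

/* Hardened: O_EXCL refuses an existing file (a symlink counts, dangling or
 * not) and O_NOFOLLOW refuses to follow one. The editor should then pick a
 * different name or give up rather than write through the link. */
int dump_safe(const char *path, const char *text)
{
    return write_file(path, text, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW);
}

/* Play the attack out in a fresh scratch directory with the given dump
 * routine. Returns 1 if the victim's file was overwritten through the
 * symlink, 0 if it survived, -1 on a setup failure. */
int run_symlink_scenario(int (*dump)(const char *, const char *))
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[256], victim[512], lnk[512], buf[256];
    snprintf(dir, sizeof dir, "%s/deadjoe.XXXXXX", tmp);
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim_profile", dir);
    snprintf(lnk, sizeof lnk, "%s/DEADJOE", dir);

    /* The victim's own file, which only the victim can write. */
    if (write_file(victim, VICTIM_CONTENT, O_WRONLY | O_CREAT | O_TRUNC) < 0)
        return -1;
    /* The attacker plants DEADJOE -> victim_profile in the shared directory. */
    if (symlink(victim, lnk) < 0)
        return -1;
    /* The victim's editor dies and dumps its buffer to DEADJOE. */
    dump(lnk, "whatever was in the editor buffer\n");

    int fd = open(victim, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0)
        close(fd);
    int clobbered = !(n == (ssize_t)strlen(VICTIM_CONTENT)
                      && memcmp(buf, VICTIM_CONTENT, (size_t)n) == 0);

    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("create-or-truncate: victim clobbered = %d\n",
           run_symlink_scenario(dump_unsafe));
    printf("O_EXCL|O_NOFOLLOW:  victim clobbered = %d\n",
           run_symlink_scenario(dump_safe));
    return 0;
}
```

The flags are only half of the fix: an editor that must dump state on a signal should also prefer a directory other users cannot write to (the user's home directory rather than the current directory), since a refused open loses the buffer that the dump file was supposed to save.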

bftpd

bftpd, an FTP server for Linux, has several security problems in versions 1.0.12 and earlier, including an exploitable buffer overflow and format string bugs. Everyone running it should upgrade to version 1.0.13 or newer as soon as possible.
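A "format bug" is worth a closer look because it usually hides in code that looks harmless. The example below is added here and is not bftpd's code: a logging helper that takes a printf-style format is called once with a pre-built message containing the client's username as the format itself, and once with a literal format and the username as an argument. The input "guest%%%%" is used because "%%" is interpreted deterministically; an attacker would instead send "%x" to read the stack, "%s" to dereference it, or "%n" to write to memory.

```c
/* Added example (not bftpd's code): the format string bug class. The
 * logging helper formats into a caller buffer instead of syslog so the
 * effect of treating client input as a format can be compared directly. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a server's log routine; real servers wrap vsyslog() the
 * same way, and that is where the client-controlled format ends up. */
static int ftp_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: the message is built safely, then handed to the logger as
 * its format string. The client's USER argument now selects conversions;
 * "%x" reads stack words, "%s" follows them as pointers, "%n" writes. */
int log_user_unsafe(char *out, size_t outlen, const char *client_user)
{
    char line[256];
    snprintf(line, sizeof line, "login attempt for %s", client_user);
    return ftp_log(out, outlen, line);           /* line is the format! */
}

/* Fixed: the format is a literal and the client string is data only. */
int log_user_safe(char *out, size_t outlen, const char *client_user)
{
    return ftp_log(out, outlen, "login attempt for %s", client_user);
}

/* Returns 1 if the chosen variant produces exactly `expected` for the
 * given client input, 0 otherwise. */
int format_demo(int safe, const char *client_user, const char *expected)
{
    char out[256];
    if (safe)
        log_user_safe(out, sizeof out, client_user);
    else
        log_user_unsafe(out, sizeof out, client_user);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[256];
    const char *client_user = "guest%%%%";     /* constructed client input */
    log_user_unsafe(out, sizeof out, client_user);
    printf("unsafe: %s\n", out);   /* the %% pairs were consumed: guest%% */
    log_user_safe(out, sizeof out, client_user);
    printf("safe:   %s\n", out);   /* guest%%%% logged as sent */
    return 0;
}
```

Compiling with gcc's -Wformat-security flags the direct case (a non-literal format with no arguments) but not a format that has passed through a variadic wrapper like ftp_log(), which is why auditing the wrappers themselves matters.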

pine

Under some conditions pine, the University of Washington's e-mail client, creates temporary files with easily guessable names. A local attacker who guesses the name first can use it to write to arbitrary files belonging to the user running pine, or to read e-mail messages that user is editing. The current release, pine 4.31, does not fix this. A workaround for most platforms is to set the $TMP environment variable to a directory that only the user can write to, such as $HOME/tmp. Even though the current version does not fix this problem, upgrading is still worthwhile: version 4.30 fixed an exploitable buffer overflow and 4.31 fixes several potential buffer overflows.
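The $TMP workaround only helps if the directory really is private, and the underlying fix is an unguessable, exclusively created name. The program below is an added example and not pine's code: predictable_tmp_name() shows the kind of name an attacker can pre-create, dir_is_private() is the check to run on whatever $TMP points at, private_tmpfile() creates a file there with mkstemp(), and choose_tmpdir() applies the workaround rule from the text. The pico.<pid> and pine-XXXXXX name patterns are assumptions made for the example.

```c
/* Added example (not pine's code): guessable temp names versus mkstemp()
 * in a directory verified to be private. Names and paths are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The weak scheme: dir/pico.<pid>. Another local user can list pids and
 * pre-create or symlink this path before the editor opens it. */
int predictable_tmp_name(char *out, size_t n, const char *dir, long pid)
{
    return snprintf(out, n, "%s/pico.%ld", dir, pid);
}

/* 1 if dir is a real directory (lstat: a symlink is rejected), owned by
 * uid, and writable by nobody else. A shared /tmp fails; $HOME/tmp at
 * mode 0700 passes. */
int dir_is_private(const char *dir, uid_t uid)
{
    struct stat st;
    if (lstat(dir, &st) < 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != uid)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* dir/pine-XXXXXX via mkstemp(): random suffix, opened O_CREAT|O_EXCL with
 * mode 0600, so a pre-planted file or symlink at the chosen name makes it
 * retry with a new suffix instead of opening through it. Refuses a
 * directory that is not private. Returns the fd, or -1. */
int private_tmpfile(const char *dir, char *path, size_t n)
{
    if (!dir_is_private(dir, getuid())) {
        errno = EACCES;
        return -1;
    }
    if (snprintf(path, n, "%s/pine-XXXXXX", dir) >= (int)n)
        return -1;
    return mkstemp(path);
}

/* The workaround from the text: $TMP if it is private, else $HOME/tmp if
 * that is private, else fail rather than silently fall back to /tmp. */
int choose_tmpdir(char *out, size_t n)
{
    const char *tmp = getenv("TMP");
    if (tmp && dir_is_private(tmp, getuid())) {
        snprintf(out, n, "%s", tmp);
        return 0;
    }
    const char *home = getenv("HOME");
    if (home) {
        snprintf(out, n, "%s/tmp", home);
        if (dir_is_private(out, getuid()))
            return 0;
    }
    return -1;
}

/* Exercise everything in a scratch directory. Returns 0 when each step
 * behaves as described above, otherwise the number of the failing step. */
int tmp_self_check(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[256], path[512], guess[512], chosen[256];
    snprintf(dir, sizeof dir, "%s/pinetmp.XXXXXX", base);
    if (!mkdtemp(dir))                         /* created with mode 0700 */
        return 1;
    int rc = 0, fd = -1;
    if (!dir_is_private(dir, getuid()))
        rc = 2;
    if (!rc && (fd = private_tmpfile(dir, path, sizeof path)) < 0)
        rc = 3;
    predictable_tmp_name(guess, sizeof guess, dir, (long)getpid());
    if (!rc && strcmp(path, guess) == 0)       /* must not be guessable */
        rc = 4;
    if (!rc && (setenv("TMP", dir, 1) < 0
                || choose_tmpdir(chosen, sizeof chosen) < 0
                || strcmp(chosen, dir) != 0))
        rc = 5;
    if (fd >= 0) {
        close(fd);
        unlink(path);
    }
    chmod(dir, 0777);                  /* now it looks like a shared /tmp */
    if (!rc && dir_is_private(dir, getuid()))
        rc = 6;
    if (!rc && private_tmpfile(dir, path, sizeof path) >= 0)
        rc = 7;
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("self check: %d (0 = all steps behaved)\n", tmp_self_check());
    return 0;
}
```

Note that a sticky, world-writable /tmp still fails dir_is_private(): the sticky bit stops other users deleting your file, but not pre-creating a file or symlink at a name they can guess, which is the attack here.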

J-Pilot

J-Pilot, a program for backing up, managing, and updating Palm OS devices, can end up with insecure permissions on its data directory. The cause is not a bug in J-Pilot, but it illustrates a class of problem that often goes unnoticed. On its first run J-Pilot creates a .jpilot directory in the user's home directory, and the permissions on that directory are whatever the user's umask allows. On many systems the default umask is 022, which gives new directories mode 755 (drwxr-xr-x) and new files mode 644 (-rw-r--r--). Those permissions let every other user on the system read the data backed up from the Palm OS device. That is a privacy problem at the least, and it can expose whatever the user keeps on the device: passwords, machine details, and material for a social engineering attack. The author of J-Pilot says, correctly, that honoring the umask is neither a bug nor by itself a security risk; on the other side of the coin, one can argue that someone's Palm Pilot data is a special case and should be treated as such. If you or your users run J-Pilot, look at the .jpilot directories and set appropriate directory and file permissions (700 for the directory and 600 for the files will do).

The umask that keeps you out of trouble day in and day out causes problems when you do not pay attention to the exceptions. The result can be as mild as a privacy leak or as serious as an exposed copy of the shadow password file.
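The mechanics are easy to get wrong in both directions, so here is an added example (not J-Pilot's code) that shows them: a directory created with a 0777 request under umask 022 comes out 0755, a directory created with an explicit 0700 request stays 0700 under any umask because umask can only clear bits, and files behave the same way with 0666 versus 0600. path_exposed() is the check to run over a .jpilot directory; main() runs it on $HOME/.jpilot read-only and then runs the self-check in a scratch directory. The data.pdb file name is an assumption for the example.

```c
/* Added example (not J-Pilot's code): how umask decides the mode of what a
 * program creates, how to create something private regardless of umask,
 * and a check for data directories that umask has left readable. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Permission bits of path (lstat, so a symlink is not followed), or -1. */
int mode_of(const char *path)
{
    struct stat st;
    return lstat(path, &st) < 0 ? -1 : (int)(st.st_mode & 07777);
}

/* 1 if group or other have any access bit on path, 0 if private, -1 if
 * the path does not exist. */
int path_exposed(const char *path)
{
    int m = mode_of(path);
    return m < 0 ? -1 : (m & 077) != 0;
}

/* Leaves the mode to umask, which is what the report describes for
 * .jpilot: 0777 & ~022 = 0755, readable by everyone. */
int make_dir_umask_decides(const char *path)
{
    return mkdir(path, 0777);
}

/* Asks for exactly 0700; umask can only remove bits, so the result is
 * private under any umask. The chmod also repairs a directory that already
 * exists with looser bits. */
int make_private_dir(const char *path)
{
    if (mkdir(path, 0700) < 0 && errno != EEXIST)
        return -1;
    return chmod(path, 0700);
}

/* Returns 0 when every step gives the modes described above, otherwise
 * the number of the failing step. Runs under umask 022 and restores the
 * caller's umask afterwards. */
int umask_self_check(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[256], loose[512], priv[512], f_loose[512], f_priv[512];
    snprintf(dir, sizeof dir, "%s/jpilot.XXXXXX", base);
    if (!mkdtemp(dir))
        return 1;
    snprintf(loose, sizeof loose, "%s/by_umask", dir);
    snprintf(priv, sizeof priv, "%s/private", dir);
    snprintf(f_loose, sizeof f_loose, "%s/by_umask/data.pdb", dir);
    snprintf(f_priv, sizeof f_priv, "%s/private/data.pdb", dir);
    mode_t old = umask(022);                        /* the common default */
    int rc = 0, fd;
    if (make_dir_umask_decides(loose) < 0 || mode_of(loose) != 0755
        || path_exposed(loose) != 1)
        rc = 2;
    if (!rc && (make_private_dir(priv) < 0 || mode_of(priv) != 0700
                || path_exposed(priv) != 0))
        rc = 3;
    /* Files go the same way: 0666 requested becomes 0644, 0600 stays 0600. */
    if (!rc && ((fd = open(f_loose, O_WRONLY | O_CREAT, 0666)) < 0
                || close(fd) < 0 || mode_of(f_loose) != 0644))
        rc = 4;
    if (!rc && ((fd = open(f_priv, O_WRONLY | O_CREAT, 0600)) < 0
                || close(fd) < 0 || mode_of(f_priv) != 0600))
        rc = 5;
    umask(old);
    unlink(f_loose);
    unlink(f_priv);
    rmdir(loose);
    rmdir(priv);
    rmdir(dir);
    return rc;
}

int main(void)
{
    char jp[512];
    snprintf(jp, sizeof jp, "%s/.jpilot", getenv("HOME") ? getenv("HOME") : ".");
    int e = path_exposed(jp);
    printf("%s: %s\n", jp, e < 0 ? "not present"
           : e ? "readable by others (chmod 700 it, 600 its files)" : "private");
    printf("self check: %d (0 = all steps behaved)\n", umask_self_check());
    return 0;
}
```

The lesson for a program that stores anything sensitive is make_private_dir(): request the tight mode explicitly and chmod what is already there, instead of leaving the decision to whatever umask the user happens to have.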

Samba

Samba provides file and print services to SMB/CIFS clients. It follows symbolic links by default, and in some situations that can be exploited to gain root access outside the exported (shared) filesystem. A user listed in a share's 'admin users' performs all file operations on that share as root. Because Samba ships with 'follow symlinks' turned on, a symbolic link inside the share that points outside it is followed, and for an admin user it is followed as root. If you are going to grant admin privileges on a share, make sure the user should have root access to the rest of the filesystem as well, or turn 'follow symlinks' off for that share in the Samba configuration.
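As an added illustration (not from the Samba documentation or the advisory), here is what the two settings look like side by side in smb.conf; the share name, path, and user are assumptions.

```ini
; Exposed: alice is root on this share, and a symlink planted in it
; (say secrets -> /etc/shadow) is followed, so alice reads the target as root.
[engineering]
   path = /srv/samba/engineering
   writable = yes
   admin users = alice
   ; 'follow symlinks' is not set, so it takes its default of yes

; Corrected: the same share with symlink following turned off.
[engineering]
   path = /srv/samba/engineering
   writable = yes
   admin users = alice
   follow symlinks = no
```

Samba's 'wide links' parameter is the narrower control: with 'wide links = no' symlinks that stay inside the share still work while those pointing outside it are refused, which is often what you actually want. Either way, run testparm after editing to confirm the share picked up the setting.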

rp-pppoe

rp-pppoe is a PPPoE client used on ADSL connections that carry PPP over Ethernet. Versions up to and including 2.4 are vulnerable to a denial of service by carefully crafted packets when the Clamp MSS option is enabled. Upgrade to version 2.5; if you cannot, turn off the Clamp MSS option.

ircd and DNS

Some versions of ircd (the Internet Relay Chat daemon) have a bug in the way they parse the answer to a DNS request: a 128-byte answer causes the affected versions to die. The affected ircds are those based on the code of Dalnet's Dreamforge ircd; hybrid, ircu, and bahamut have been reported as not affected. If you run an ircd derived from Dalnet Dreamforge, check for an update.